
ability to input text not in a dropdown menu

Is it possible for someone to input their own text into an input field that is a dropdown menu? I have a dropdown menu that is PHP driven and somehow a customer was able to input a piece of text into the input that was not in the dropdown menu.

By doing this, it screwed up a bunch of PHP if statements on later pages, so I am trying to figure out how or if this is possible.


6 Comments

@NogDog Feb 23.2006 — One way a malicious user can do this is to copy the page source from their browser, then change the select field to an input field and submit from their altered page. (Or, if they're a hard-core hacker, just manually create the raw post data and send it via HTTP.) Therefore, you should always validate any inputs which can have an adverse effect if not within a given set of values. (I suppose it's also possible they're using some non-standard browser that creates a combo box instead of a list box for select elements, but I'm not aware that any mainstream browsers do this.)
@Huevoos Feb 23.2006 — [QUOTE]...(I suppose it's also possible they're using some non-standard browser that creates a combo box instead of a list box for select elements, but I'm not aware that any mainstream browsers do this.)[/QUOTE]
Firefox + WebDeveloper extension: it allows you to convert select elements into text fields, plus edit the HTML of a page + many other thingys. It is really useful for testing your sites, but might as well be used by the Dark Side.
@NogDog Feb 23.2006 — [QUOTE]Firefox + WebDeveloper extension: it allows you to convert select elements into text fields, plus edit the HTML of a page + many other thingys. It is really useful for testing your sites, but might as well be used by the Dark Side.[/QUOTE]
Interesting. Guess that just reinforces the point that you should never trust the incoming data from the client.
@chazzy Feb 23.2006 — If you use the $_GET or $_REQUEST arrays, anyone can use the query string to manipulate your form, FYI.
@rbailer (author) Feb 23.2006 — I checked out the Firefox tool and it's absolutely insane how much you can do with that (and scary at the same time).

I guess I am going to have to put some server-side form validation on my forms from now on.
@SpectreReturns Feb 24.2006 — This is kinda unrelated (but related at the same time), but does anyone know how to get the equivalent of the <select> working in PHP:GTK? The combo box with a locked input is close, but quite awkward.
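
The server-side check that the replies above recommend for a dropdown, as an added example that is not code from any poster in this thread. The option list, field name and function names are hypothetical, and the sample submissions are constructed stand-ins for `$_POST`.

```php
<?php
declare(strict_types=1);

// Hypothetical option list: the same array renders the <select> and
// validates the submission, so the two can never drift apart.
const SHIPPING_OPTIONS = [
    'ground'    => 'Ground (5-7 days)',
    'express'   => 'Express (2 days)',
    'overnight' => 'Overnight',
];

function render_select(string $name, array $options): string
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES) . '">';
    foreach ($options as $value => $label) {
        $html .= sprintf('<option value="%s">%s</option>',
            htmlspecialchars((string) $value, ENT_QUOTES), htmlspecialchars($label, ENT_QUOTES));
    }
    return $html . '</select>';
}

// Returns the submitted key if it is one of the offered options, else null.
function validate_choice(array $post, string $name, array $options): ?string
{
    $value = $post[$name] ?? null;
    // A client can send name[]=x, which PHP turns into an array.
    if (!is_string($value)) {
        return null;
    }
    // Strict comparison against the option keys; no loose == matching.
    $allowed = array_map('strval', array_keys($options));
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['shipping' => 'express'],   // normal browser submit
    ['shipping' => 'free'],      // select edited into a text field
    ['shipping' => ['ground']],  // array instead of a string
    [],                          // field missing from the request
];
foreach ($samples as $post) {
    $choice = validate_choice($post, 'shipping', SHIPPING_OPTIONS);
    echo json_encode($post), ' => ', $choice === null ? 'rejected' : "accepted ($choice)", PHP_EOL;
}
```

In a real form handler, pass `$_POST` (not `$_REQUEST` or `$_GET`) to `validate_choice()` and stop processing with an error response when it returns null, so later pages only ever see one of the offered values.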